Researchers discover a widespread, inexpensive malware variant has been redesigned to target both macOS and Windows devices.

Kelly Sheridan, Former Senior Editor, Dark Reading

July 21, 2021


Cybercriminals are taking closer aim at Apple machines, as indicated in recent reports that describe multiple occurrences of Windows-focused malware rewritten to target macOS devices.

One of these variants, called XLoader, is a widespread and inexpensive form of malware that was originally written to infect Windows machines. XLoader stems from FormBook, which is among the most common types of malware and has been active for at least five years, Check Point researchers report. As of 2020, FormBook had affected 4% of organizations worldwide.

FormBook was designed as an information stealer: it harvests credentials from different Web browsers, collects screenshots, monitors and logs keystrokes, and downloads and executes files according to instructions from an attacker's command-and-control server. While different FormBook subscriptions sold for different prices, they were all relatively cheap: Its developer, referred to as ng-Coder, charged as little as $29 per week.

However, criminals quickly noticed FormBook could be used for more than keylogging and turned the malware into a globally used tool employed in massive spam campaigns.

"The FormBook's author put a lot of effort in the malware creation, but curiously enough, he saw its potential no further than being 'a simple keylogger,'" says Check Point researcher Alex Chailytko. With FormBook targeting organizations around the world, its author decided to stop sales of the malware.

It's worth noting this didn't rid the world of FormBook, researchers report. People who bought the malware to host on their own servers could continue to use it, as could its developer.

FormBook reappeared on underground forums in February 2020 under the new moniker XLoader, with a new avatar. While both variants share the same code base, XLoader comes with a few key changes, including its ability to infect macOS systems. Attackers can buy XLoader licenses on the Dark Web for as low as $49.

XLoader is usually spread via spoofed emails that trick victims into downloading and opening a malicious file, typically Microsoft Office documents. The malware enables attackers to harvest credentials, collect screenshots, log keystrokes, and execute malicious files. An intriguing feature is its ability to deceive sandboxes and researchers by hiding its C2 servers, researchers report: Of the 90,000 domains XLoader uses in network communication, only 1,300 are the real C2 servers – just 1.5% of the total. The other 88,000 domains belong to legitimate websites.
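Added illustration, not from the article or from Check Point: a sliding-window fan-out check over constructed egress proxy lines that flags a process posting to many distinct domains within a few minutes, the kind of footprint the decoy-domain behaviour described above leaves on a network. The log format, the thresholds and the .test domains are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed proxy log ("timestamp host process method domain"); .test domains are placeholders.
SAMPLE_LOG = """\
2021-06-01T10:00:01 mac-07 officeupdate POST cdn.alpha.test
2021-06-01T10:00:04 mac-07 officeupdate POST www.beta.test
2021-06-01T10:00:09 mac-07 officeupdate POST blog.gamma.test
2021-06-01T10:00:15 mac-07 officeupdate POST shop.delta.test
2021-06-01T10:00:22 mac-07 officeupdate POST news.epsilon.test
2021-06-01T10:00:31 mac-07 officeupdate POST mail.zeta.test
2021-06-01T10:00:05 mac-07 Safari GET www.beta.test
2021-06-01T10:03:12 mac-07 Safari GET shop.delta.test
2021-06-01T09:00:00 win-02 outlook POST a.test
2021-06-01T10:00:00 win-02 outlook POST b.test
2021-06-01T11:00:00 win-02 outlook POST c.test
2021-06-01T12:00:00 win-02 outlook POST d.test
2021-06-01T13:00:00 win-02 outlook POST e.test
2021-06-01T14:00:00 win-02 outlook POST f.test
"""

def parse_log(text):
    """Parse the constructed lines into (time, host, process, method, domain) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, proc, method, domain = line.split()
            events.append((datetime.fromisoformat(ts), host, proc, method, domain))
    return events

def find_domain_fanout(events, window=timedelta(minutes=5), min_domains=5, methods=("POST",)):
    """Flag (host, process) pairs that contact min_domains or more distinct domains
    within any sliding window; returns {(host, process): sorted list of all domains}."""
    by_key = defaultdict(list)
    for t, host, proc, method, domain in events:
        if method in methods:
            by_key[(host, proc)].append((t, domain))
    flagged = {}
    for key, rows in by_key.items():
        rows.sort()
        active, left = Counter(), 0   # distinct domains seen inside the current window
        for t, domain in rows:
            active[domain] += 1
            while rows[left][0] < t - window:   # slide the window's left edge forward
                active -= Counter({rows[left][1]: 1})   # Counter drops keys that reach zero
                left += 1
            if len(active) >= min_domains:
                flagged[key] = sorted({d for _, d in rows})
                break
    return flagged
```

The flagged domain list is a triage starting point, not a blocklist: as the article notes, most of the domains such a process contacts are legitimate sites used as cover.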

"We call this process a 'logical evolution,'" says Chailytko, of the changes made in XLoader. "The actors behind XLoader took the best bits of FormBook and enhanced certain features to make new malware even more sophisticated than before."

Researchers are not certain the revamp is the work of FormBook's original author; however, they saw evidence that the current XLoader seller and FormBook developer are connected.

FormBook/XLoader attack activity is not slowing down: In the six months between Dec. 1, 2020, and June 1, 2021, Check Point saw malware requests from as many as 69 countries. US victims account for more than half of the worldwide total.

Cyberattacks Set Sights on Macs
FormBook/XLoader is not the only malware that has been adjusted to target macOS machines.

Apple sold 20 million Mac and MacBook devices in 2020, data shows, and the growth in Mac use is appealing to criminals seeking to diversify their targets. While you don't see malware migrate to macOS every day, the occurrences are growing more frequent, research indicates.

Kaspersky researchers tracking Milum, a malicious Trojan used by the WildPressure APT, recently disclosed their findings of newer versions written in different programming languages. One new version was able to infect and run on both Windows and macOS, they report. Milum sent information about the programming language on a target device back to the attackers.

Multiplatform malware designed to infect devices running macOS is rare, researchers noted.

"The reason behind the development of similar malware in multiple languages is probably to decrease the likelihood of detection," said Denis Legezo, senior researcher for GReAT at Kaspersky, in a statement. "This strategy is not unique among APT actors, but we rarely see malware that is adapted to run on two systems at once, even in the form of a Python script."

An analysis of 2020 malware activity indicates enterprise environments using Macs should be alert as criminals take aim at the Apple operating system. Malwarebytes researchers found Windows malware detections dropped 24% among businesses in 2020; in the same period, Mac malware detection increased 31% for organizations but dropped 40% among consumers.

While this research focuses on macOS, iPhone users should also be diligent about protecting their devices and applying security fixes. Apple this week released security updates to address vulnerabilities in iOS 14.7, Safari 14.1.2, macOS Big Sur 11.5, macOS Catalina, and macOS Mojave. More information about the vulnerabilities patched this week can be found here.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
